MDEV-12484 Enable unix socket authentication by default

Change the default authentication for root@localhost to IDENTIFIED VIA mysql_native_password USING 'invalid' OR unix_socket which provides secure passwordless login, while still allowing SET PASSWORD to work as expected. Also create a second all-privilege account for the user that owns datadir (and thus has full access to the data anyway). Compile unix_socket plugin statically into the server.
2025-01-29 02:05:57 +01:00 · 2019-02-05 16:07:07 +01:00 · 2019-02-05 16:07:07 +01:00 · b9f3f06857
commit b9f3f06857
parent f07b76fcfd
9 changed files with 30 additions and 19 deletions
--- a/cmake/build_configurations/mysql_release.cmake
+++ b/cmake/build_configurations/mysql_release.cmake
@ -98,17 +98,20 @@ ELSEIF(RPM)
  SET(CHECKMODULE /usr/bin/checkmodule CACHE STRING "")
  SET(SEMODULE_PACKAGE /usr/bin/semodule_package CACHE STRING "")
  SET(WITH_LIBARCHIVE ON CACHE STRING "")
+  SET(PLUGIN_AUTH_SOCKET YES)
 ELSEIF(DEB)
  SET(WITH_SSL system CACHE STRING "")
  SET(WITH_ZLIB system CACHE STRING "")
  SET(WITH_LIBWRAP ON)
  SET(HAVE_EMBEDDED_PRIVILEGE_CONTROL ON)
  SET(WITH_LIBARCHIVE ON CACHE STRING "")
+  SET(PLUGIN_AUTH_SOCKET YES)
 ELSE()
  SET(WITH_SSL bundled CACHE STRING "")
  SET(WITH_ZLIB bundled CACHE STRING "")
  SET(WITH_JEMALLOC static CACHE STRING "")
  SET(WITH_LIBARCHIVE STATIC CACHE STRING "")
+  SET(PLUGIN_AUTH_SOCKET STATIC)
 ENDIF()

 IF(NOT COMPILATION_COMMENT)
--- a/mysql-test/main/failed_auth_unixsocket.result
+++ b/mysql-test/main/failed_auth_unixsocket.result
@ -8,6 +8,6 @@ flush privileges;
 connect(localhost,USER,,test,MASTER_PORT,MASTER_SOCKET);
 ERROR 28000: Access denied for user 'USER'@'localhost'
 ERROR 28000: Access denied for user 'USER'@'localhost'
-update mysql.global_priv set priv=json_remove(priv, '$.plugin');
+update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin'));
 flush privileges;
 uninstall plugin unix_socket;
--- a/mysql-test/main/failed_auth_unixsocket.test
+++ b/mysql-test/main/failed_auth_unixsocket.test
@ -36,7 +36,7 @@ connect (fail,localhost,$USER);
 --error ER_ACCESS_DENIED_NO_PASSWORD_ERROR
 change_user $USER;

-update mysql.global_priv set priv=json_remove(priv, '$.plugin');
+update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin'));
 flush privileges;
 uninstall plugin unix_socket;

--- a/mysql-test/main/mysql_upgrade-6984.result
+++ b/mysql-test/main/mysql_upgrade-6984.result
@ -63,6 +63,6 @@ test
 Phase 7/7: Running 'FLUSH PRIVILEGES'
 OK
 connect con1,localhost,root,foo,,,;
-update mysql.global_priv set priv=json_remove(priv, '$.plugin', '$.authentication_string');
+update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin', '$.authentication_string'));
 flush privileges;
 set global event_scheduler=OFF;
--- a/mysql-test/main/mysql_upgrade-6984.test
+++ b/mysql-test/main/mysql_upgrade-6984.test
@ -17,7 +17,7 @@ update mysql.global_priv set priv=json_set(priv, '$.plugin', 'mysql_native_passw

 connect(con1,localhost,root,foo,,,);

-update mysql.global_priv set priv=json_remove(priv, '$.plugin', '$.authentication_string');
+update mysql.global_priv set priv=json_compact(json_remove(priv, '$.plugin', '$.authentication_string'));
 flush privileges;
 # Load event table
 set global event_scheduler=OFF;
--- a/mysql-test/suite/roles/i_s_applicable_roles_is_default.result
+++ b/mysql-test/suite/roles/i_s_applicable_roles_is_default.result
@ -78,4 +78,4 @@ drop role role3;
 drop role role2;
 drop role role1;
 drop user foo;
-update mysql.global_priv set priv=json_remove(priv, '$.default_role');
+update mysql.global_priv set priv=json_compact(json_remove(priv, '$.default_role'));
--- a/mysql-test/suite/roles/i_s_applicable_roles_is_default.test
+++ b/mysql-test/suite/roles/i_s_applicable_roles_is_default.test
@ -59,4 +59,4 @@ drop role role3;
 drop role role2;
 drop role role1;
 drop user foo;
-update mysql.global_priv set priv=json_remove(priv, '$.default_role');
+update mysql.global_priv set priv=json_compact(json_remove(priv, '$.default_role'));
--- a/scripts/mysql_install_db.sh
+++ b/scripts/mysql_install_db.sh
@ -37,8 +37,8 @@ force=0
 in_rpm=0
 ip_only=0
 cross_bootstrap=0
-auth_root_authentication_method=normal
-auth_root_socket_user='root'
+auth_root_authentication_method=socket
+auth_root_socket_user=""
 skip_test_db=0

 usage()
@ -46,17 +46,17 @@ usage()
  cat <<EOF
 Usage: $0 [OPTIONS]
  --auth-root-authentication-method=normal|socket
-                       Chooses the authentication method for the created initial
-                       root user. The default is 'normal' to creates a root user
-                       that can login without password, which can be insecure.
-                       The alternative 'socket' allows only the system root user
-                       to login as MariaDB root; this requires the unix socket
-                       authentication plugin.
+                       Chooses the authentication method for the created
+                       initial root user. The historical behavior is 'normal'
+                       to creates a root user that can login without password,
+                       which can be insecure. The default behavior 'socket'
+                       sets an invalid root password but allows the system root
+                       user to login as MariaDB root without a password.
  --auth-root-socket-user=user
                       Used with --auth-root-authentication-method=socket. It
-                       specifies the name of the MariaDB root account, as well
-                       as of the system account allowed to access it. Defaults
-                       to 'root'.
+                       specifies the name of the second MariaDB root account,
+                       as well as of the system account allowed to access it.
+                       Defaults to the value of --user.
  --basedir=path       The path to the MariaDB installation directory.
  --builddir=path      If using --srcdir with out-of-directory builds, you
                       will need to set this to the location of the build
@ -505,6 +505,11 @@ cat_sql()
 {
  echo "use mysql;"

+  # Use $auth_root_socket_user if explicitly specified.
+  # Otherwise use the owner of datadir - ${user:-$USER}
+  # Use 'root' as a fallback
+  auth_root_socket_user=${auth_root_socket_user:-${user:-${USER:-root}}}
+
  case "$auth_root_authentication_method" in
    normal)
      echo "SET @auth_root_socket=NULL;"
--- a/scripts/mysql_system_tables_data.sql
+++ b/scripts/mysql_system_tables_data.sql
@ -25,7 +25,9 @@
 -- add escape character in front of wildcard character to convert "_" or "%" to
 -- a plain character
 SELECT LOWER( REPLACE((SELECT REPLACE(@@hostname,'_','\_')),'%','\%') )INTO @current_hostname;
-SELECT json_object('access',cast(-1 as unsigned)) INTO @all_privileges;
+SELECT '{"access":18446744073709551615}' INTO @all_privileges;
+SELECT '{"access":18446744073709551615,"plugin":"mysql_native_password","authentication_string":"invalid","auth_or":[{},{"plugin":"unix_socket"}]}' into @all_with_auth;
+

 -- Fill "global_priv" table with default users allowing root access
 -- from local machine if "global_priv" table didn't exist before
@ -37,7 +39,8 @@ REPLACE INTO tmp_user_nopasswd SELECT @current_hostname,'root',@all_privileges F
 REPLACE INTO tmp_user_nopasswd VALUES ('127.0.0.1','root',@all_privileges);
 REPLACE INTO tmp_user_nopasswd VALUES ('::1','root',@all_privileges);
 -- More secure root account using unix socket auth.
-INSERT INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),json_set(@all_privileges, '$.plugin', 'unix_socket'));
+INSERT INTO tmp_user_socket VALUES ('localhost', 'root',@all_with_auth);
+REPLACE INTO tmp_user_socket VALUES ('localhost',IFNULL(@auth_root_socket, 'root'),@all_with_auth);
 IF @auth_root_socket is not null THEN
  IF not exists(select 1 from information_schema.plugins where plugin_name='unix_socket') THEN
     INSTALL SONAME 'auth_socket'; END IF; END IF;